Scareware slingers stumped by Google secure search

Google made secure search the default option for logged in users last month – primarily for privacy protection reasons. But the move has had the beneficial side-effect of making life for difficult for fraudsters seeking to manipulate search engine rankings in order to promote scam sites, according to security researchers.

Users signed into Google were offered the ability to send search queries over secure (https) connections last month. This meant that search queries sent while using insecure networks, such as Wi-Fi hotspots, are no longer visible (and easily captured) by other users on the same network.

However Google also made a second (under-reported) change last month by omitting the search terms used to reach websites from the HTTP referrer header, where secure search is used. The approach means it has become harder for legitimate websites to see the search terms surfers fed through Google before reaching their website, making it harder for site to optimise or tune their content without using Google’s analytics service.

But the change in the referrer header makes life proportionately much more difficult for black hat SEO operators, who commonly use link farms and other tactics in an attempt to manipulate search results so that links to scareware portals appear prominently in the search results for newsworthy searches. Surfers who stray onto these sites will be warned of non-existent security problems in a bid to coax them into paying for fake anti-virus software of little or no utility.

Black hats thwarted

Fraudsters normally set up multiple routes through to scam sites. The changes introduced by Google when it launched secure search will leave them clueless about which approaches are bringing in prospective marks and which have failed. David Sancho, a senior threat researcher at Trend Micro, explains that it is very useful for black hat SEO-promoted sites to know which search term they have successfully hijacked, information that Google’s changes denies them.

“When these sites receive visits from search engine visitors, they will have no idea what search sent them there,” Sancho writes. “They won’t have a clear idea which search terms work and which don’t, so they are essentially in the dark. This can have a lot of impact on the effectiveness of their poisoning activities. This is, of course, good for Google as their search lists are cleaner but it’s also good for all users because they’ll be less likely to click on bad links from Google.”

Regular no-padlock HTTP searches remain unaltered. Search terms are only concealed where secure search is applied, which means surfers are already logged in to Google’s services.

“Given how many people already use Google Mail and Google+, this may not be such a big obstacle – but it still poses one,” Sancho explains. “If people keep using regular no-padlock HTTP searches, they will keep disclosing their search terms and keeping things unchanged.”

“The more people use HTTPS, the less information we’re giving the bad guys … one more reason to use secure connections to do your web searching,” he concludes.

Google introduced encrypted search last year but changes that came in last month that make it a default option for logged-in users will inevitably mean that it becomes more widely used, rather than the preserve of security-aware users who are unlikely to fall victim to scareware scams in the first place. ®